From bf5e2f246eff55dfc33318f0ffb4572a56f7645a Mon Sep 17 00:00:00 2001
From: Trevor Livingston
Date: Fri, 5 Sep 2014 09:56:55 -0500
Subject: [PATCH] tls: `checkServerIdentity` option
Allow overriding `checkServerIdentity` function, when connecting to a TLS server.
Reviewed-By: Fedor Indutny
---
 doc/api/tls.markdown | 4 +
 lib/_tls_wrap.js | 8 +-
 .../test-https-client-checkServerIdentity.js | 85 ++++++++++++++++++++++
 3 files changed, 95 insertions(+), 2 deletions(-)
 create mode 100644 test/simple/test-https-client-checkServerIdentity.js
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index 36d88a7..daa169c 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -196,6 +196,10 @@ automatically set as a listener for the [secureConnection][] event. The
 which is not authorized with the list of supplied CAs. This option only has an effect if `requestCert` is `true`. Default: `false`.
+ - `checkServerIdentity(servername, cert)`: Provide an override for checking
+ server's hostname against the certificate. Should return an error if verification
+ fails. Return `undefined` if passing.
+
 - `NPNProtocols`: An array or `Buffer` of possible NPN protocols. (Protocols should be ordered by their priority).
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 90adefa..4ec9280 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -822,10 +822,14 @@ exports.connect = function(/* [port, host], options, cb */) {
 var defaults = {
 rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED,
- ciphers: tls.DEFAULT_CIPHERS
+ ciphers: tls.DEFAULT_CIPHERS,
+ checkServerIdentity: tls.checkServerIdentity
 };
+
 options = util._extend(defaults, options || {});
+ assert(typeof options.checkServerIdentity === 'function');
+
 var hostname = options.servername || options.host || options.socket && options.socket._host,
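Review bot: `options = util._extend(defaults, options || {})` followed by `assert(typeof options.checkServerIdentity === 'function')` turns an explicitly unset option into a hard failure: `util._extend` (as far as I recall its implementation) copies every own key of the source object, so a caller passing `checkServerIdentity: undefined` or `null` — common when options are assembled from a config object — overwrites the default with that value and trips the assert instead of getting the built-in `tls.checkServerIdentity`. Filling the default back in before the check keeps that path working: `if (options.checkServerIdentity == null) options.checkServerIdentity = tls.checkServerIdentity;`. A bare `assert` also reports a non-function value as an AssertionError with no message; `if (typeof options.checkServerIdentity !== 'function') throw new TypeError('checkServerIdentity must be a function');` tells the caller what was wrong. `exports.connect` continues outside the hunk on both sides.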
@@ -912,7 +916,7 @@ exports.connect = function(/* [port, host], options, cb */) {
 // Verify that server's identity matches it's certificate's names
 if (!verifyError) {
 var cert = result.getPeerCertificate();
- verifyError = tls.checkServerIdentity(hostname, cert);
+ verifyError = options.checkServerIdentity(hostname, cert);
 }
 if (verifyError) {
diff --git a/test/simple/test-https-client-checkServerIdentity.js b/test/simple/test-https-client-checkServerIdentity.js
new file mode 100644
index 0000000..a985d23
--- /dev/null
+++ b/test/simple/test-https-client-checkServerIdentity.js
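Review bot: `verifyError = options.checkServerIdentity(hostname, cert)` is now the point where a caller-supplied hook decides the outcome of hostname verification, and the following `if (verifyError)` treats any falsy return as success — so a hook that returns `false` or `null`, or that forgets to return the error it found, disables hostname checking while the connection is still reported as authorized (the new test asserts exactly that with `req.socket.authorized`). A comment here would make that explicit for the next maintainer: `// Caller-supplied via options.checkServerIdentity; any falsy return counts as a match, so a permissive hook disables hostname verification entirely.` Since the documented contract is "an error or `undefined`", rejecting other return types here (or normalising them to an error) would keep a buggy hook from silently passing. The enclosing callback and `exports.connect` start and end outside the hunk.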
@@ -0,0 +1,85 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+if (!process.versions.openssl) {
+ console.error('Skipping because node compiled without OpenSSL.');
+ process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var https = require('https');
+var fs = require('fs');
+var path = require('path');
+
+var options = {
+ key: fs.readFileSync(path.join(common.fixturesDir, 'keys/agent3-key.pem')),
+ cert: fs.readFileSync(path.join(common.fixturesDir, 'keys/agent3-cert.pem'))
+};
+
+var reqCount = 0;
+
+var server = https.createServer(options, function (req, res) {
+ ++reqCount;
+ res.writeHead(200);
+ res.end();
+ req.resume();
+}).listen(common.PORT, function () {
+ authorized();
+});
+
+function authorized() {
+ var req = https.request({
+ port: common.PORT,
+ rejectUnauthorized: true,
+ ca: [fs.readFileSync(path.join(common.fixturesDir, 'keys/ca2-cert.pem'))]
+ }, function (res) {
+ assert(false);
+ });
+ req.on('error', function (err) {
+ override();
+ });
+ req.end();
+}
+
+function override() {
+ var options = {
+ port: common.PORT,
+ rejectUnauthorized: true,
+ ca: [fs.readFileSync(path.join(common.fixturesDir, 'keys/ca2-cert.pem'))],
+ checkServerIdentity: function (host, cert) {
+ return false;
+ }
+ };
+ options.agent = new https.Agent(options);
+ var req = https.request(options, function (res) {
+ assert(req.socket.authorized);
+ server.close();
+ });
+ req.on('error', function (err) {
+ throw err;
+ });
+ req.end();
+}
+
+process.on('exit', function () {
+ assert.equal(reqCount, 1);
+});
-- 2.7.4
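Review bot: The `checkServerIdentity` hook in `override()` returns `false`, but the contract this commit documents is "return an error, or `undefined` if passing", so the test pins a falsy value that only works because the caller checks truthiness rather than the documented API; it also never verifies that the hook was invoked at all. Returning `undefined` and recording the call would make the test assert the intended behaviour: `var overrideCalled = false;` at top level, `overrideCalled = true; return undefined;` inside the hook, and `assert(overrideCalled);` next to the `reqCount` check in the exit handler. The error handler in `authorized()` likewise accepts any error before calling `override()`, so a refused connection or a CA failure would be mistaken for the hostname mismatch the first request is meant to provoke; asserting on the received error (for example that it is the identity-check failure rather than a socket error) before proceeding would close that gap.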